8 Business As Usual Business as Usual " Monitor security controls for effectiveness " Ensure all failures are detected and responded to " Review changes in the environment " Organizational structure changes " Periodic reviews and communication to confirm controls continue to be in place " Review hardware and software technologies

15 Can I Assess Myself? Short answer: Maybe (but you probably don t want to) Long answer: You can assess yourself, provided: You follow audit procedures Your acquirer agrees An approved officer (think President or CFO) signs on the dotted line (attesting to the veracity of the results) You re absolutely sure you re going to do it right

16 Critical Change #2 Shared Responsibilities

17 Shared Responsibility Requirement 12: Maintain an Information Security Policy For Your College: 12.8 Managing relationships with service providers Written agreements with service providers Established process for engaging service providers Monitor service provider compliance (NEW) Is information maintained about which PCI DSS requirements are maintained by each service provider and which are maintained by the entity? For Service Providers 12.9 (NEW) Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes on behalf of the customer, or to the extent that they could impact the security of the customer s cardholder data environment?

18 Example Contract Language PCI DSS COMPLIANCE: University requires that the contractor shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). The contractor will be required to provide written confirmation of compliance. Contractor acknowledges responsibility for the security of cardholder data as defined within the PCI DSS. Contractor acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law. In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for the contractor, contractor shall immediately notify to allow the proper PCI DSS compliant breach notification process to commence. The contractor shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the contractor s facilities and all pertinent records to conduct a review of the contractor s compliance with the PCI DSS requirements. In the event of a breach or intrusion the contractor acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to the contractor deemed to be the fault of the contractor shall be the liability of the contractor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless and its officers and employees from and against any claims, damages or other harm related to such breach. (USE: Include in any solicitation / contract that may involve online credit card payments). IMPORTANT: Insert the following statement into the Scope of Work (potentially in the IT section dealing with credit cards and PCI compliance): Provide documentation of your most current PCI system scan and the signature page from your Record of Compliance (ROC) or Attestation of Compliance (AOC).

20 When You Think You ve Covered All Your Bases - but what about the Off Campus Alumni Chapter Fundraiser held at private home. * Square on homeowners cell phone, or * Enter Payments on Laptop or Home Computer, or * Take Payment Info on Form and Mail In

25 WHAT YOU SHOULD BE DOING NOW Review policies and procedures Review third-party contracts Review third-party software deployment Review relationship with the university Awareness training for all employees

29 COMMON SENSE RULES BUSINESS AS USUAL Never leave a laptop or other computer device unattended Always log out of a computer when it is unattended Make sure anti-virus software is current and running Never download items without authorization If you suspect breach of security, contact IT department immediately

30 Take-Aways Critical changes in v3.1 Implement compliance as business as usual All employees, students, and volunteer workers are in-scope Awareness training a must! Involve your IT/network security department Make sure your business partners are PCI DSS compliant You are probably doing most things right already

Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

PCI: The Dark Side May 2012 Roanoke, VA Agenda The problem Who are they? Why? What do they steal? How do they do it? What can they do with it? How can you stop it? Ron King, Ed Ko, CampusGuard CampusGuard

PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information

PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over

Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS

WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS David Clevenger November 2015 Summary Payment Card Industry (PCI) is an accreditation body that

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

What Every Director Needs to Know About Credit Cards & Patron Privacy Complying with PCI is a necessary step in safely accepting Payment Cards. Know the Risks! Some Interesting Facts: 94% of data breaches

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry